Monday, June 10, 2013

Death Of The Cloud (Really) - Market Ticker

The future of the Cloud?
It got a lot darker the last few days, and this is not going to change in the short term -- and might not change at all.  From Jonny Evans:
Given that even the big tech firms are unaware of these gaps, there's no way then of knowing that a user's data is safe.
In the event that the big tech firms -- by their own admission -- were unaware of government monitoring of their services, then users are left in a position in which they now know their service providers cannot in sincerity guarantee their data is safe.
The author suggests that this is "somewhat less" of a problem for US-based firms in that "The Constitution" protects them (somewhat.)
False.
It is at least as big a problem for a US-based company as a foreign one and is far worse if you happen to be a firm with material international business connections because by definition you are a target with cross-border traffic!
The revelation of this government program means that there is no cloud service provider that is secure and can be trusted.
Remember that all of them have explicitly denied "quietly cooperating" with the government as was claimed in the disclosure.  That is, they all say they'll comply with a subpoena (as they must) but all denied the allegation of active involvement that was originally leveled.
This means that either (1) they're lying (which is bad) or (2) the government has picked off the traffic upstream of them without their active involvement (which is far worse.)
And by the way I have fairly good reason to believe it's at least in part #2, but in today's Internet I can't prove it as I no longer have the access to core equipment where I can look for myself.
I can tell you, however, that this game is not new, and that dates from my time running MCSNet -- when I did have such access.
What I do know is how such an interception could be constructed even if the connection in question is allegedly secured by SSL or similar protocols with relatively-minimal cooperation by the provider in question.
Either way, however, the upshot of this incident means that at a corporate level there is no such thing as security for data that lives beyond your physical corporate walls.
Period.
There is no way to fix this without a binding, legally-enforceable commitment that makes violations punishable at both an "all damages" level and a criminal level, and you're not going to get that.
Let's be frank folks: When was the last time you saw any large corporate CEO get nailed up upon the cross and go to prison?  One big bankster?  Any big bankster?  Never happens, right?
Why would you believe it would happen to the CEO of Google, Microsoft or Apple if they violated your security -- either directly or indirectly?
That means that your data has to live within a place you physically control, and you must then provide an environment such that it never leaves, or exists outside of, an encrypted channel where you control everything from the root CA keys on down.
For anyone with the first shred of concern for corporate security, who does not want to be the Board Member who gets skewered when, not if, the company's data gets filched or worse: the cloud just evaporated in a puff of smoke.
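As an added illustration of "control everything from the root CA keys on down" (this is example code written for this page, not anything from the original post): a TLS client context that trusts only an in-house root CA bundle, shown beside the common default that trusts every root the operating system ships. The bundle path is a hypothetical parameter; with a real file, only server certificates chaining to that root are accepted.

```python
"""Added example, not from the Market Ticker post: pin a TLS client to a
private root CA so the OS trust store plays no part in the decision."""
import ssl
from typing import Optional


def system_trust_context() -> ssl.SSLContext:
    # The usual default: verification is on, but every root the OS ships is
    # trusted, so any CA able to issue for the server's name is accepted.
    return ssl.create_default_context()


def private_trust_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    # PROTOCOL_TLS_CLIENT requires a peer certificate and checks the hostname
    # by default; crucially it loads no roots until we load them ourselves.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_bundle is not None:
        # Hypothetical path to the organisation's own root CA (PEM). Only
        # certificates chaining to this file will verify.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def trusted_root_count(ctx: ssl.SSLContext) -> int:
    # Number of CA certificates the context would accept as trust anchors.
    return len(ctx.get_ca_certs())


def is_private_trust(ctx: ssl.SSLContext, max_roots: int = 2) -> bool:
    # Policy check: strict verification plus a deliberately tiny root set.
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and trusted_root_count(ctx) <= max_roots
    )


if __name__ == "__main__":
    # With no bundle loaded the private context trusts nothing at all, which
    # is the safe failure mode: connections are refused rather than verified
    # against roots someone else controls.
    private = private_trust_context(None)
    public = system_trust_context()
    print("private roots:", trusted_root_count(private), "policy ok:", is_private_trust(private))
    print("system roots:", trusted_root_count(public), "policy ok:", is_private_trust(public))
```

In deployment the context is handed to `ssl.SSLContext.wrap_socket` or to an HTTP client that accepts a custom context; the point of the design is that the set of trust anchors is an explicit, auditable file you issue from, rather than whatever list the platform vendor or an upstream party chooses to ship.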
